This presentation describes the Pegasus cyber espionage tool, how it works, and how to protect against it. It explains that Pegasus is zero-day spyware for iOS that exploits iOS vulnerabilities to gain access to devices and expose calls, messages, and all other data. It also summarizes how the mobile threat defense company Skycure uses techniques such as behavioral analysis and vulnerability patching to detect and block threats like Pegasus, preventing device compromise and data exfiltration.
1. Title of Presentation DD/MM/YYYY 1
Understanding the Pegasus Cyber Espionage Tool
What you need to know about Pegasus Spyware & How to protect yourself from this and other threats
2. Agenda
• Top 5 things to know about Pegasus
• The Story of Pegasus
• Technical details of Pegasus/Trident
• The Hacking Process & The Kill Chain
• How does Skycure protect your organization?
• Q&A
3. Top 5 things to know about Pegasus
1. Pegasus is zero-day spyware for iOS
2. Pegasus is a low probability, but high impact threat
3. Apple’s iOS 9.3.5 update will not detect or remove Pegasus
4. Pegasus exposes ALL messages, calls, emails, data, communications, audio, video…
5. Existence of other exploits like Pegasus is very likely
4. Colliding Trends
• CYBER ATTACKS: PC → Mobile; Spam → Targeted; Annoying → Financial gain; Android → iOS
• MOBILE TECHNOLOGY (Call + text + mail + everything): Corporate → BYOD; Convenience → Productivity; Work hours → Always on
• Result: BEST INFILTRATION AND ESPIONAGE DEVICE EVER
5. The Story
THE PLAYERS and WHAT HAPPENED:
• NSO Group (cyber war software): Found vulnerabilities in iOS (didn’t report). Pegasus, a zero-day “lawful intercept” spyware product for governments, exploits 3 iOS vulnerabilities to jailbreak and take over mobile devices.
• UAE (suspected; nation state): Purchased Pegasus from NSO to spy on Ahmed Mansoor. Sent an SMS message with a malicious URL capable of completely compromising his mobile device.
• Ahmed Mansoor (human rights activist): Smartly, did not click on the SMS link. Contacted Citizen Lab for forensic analysis.
• Citizen Lab (research laboratory): Recognized the exploit as an NSO product. Analyzed the exploit. Contacted Lookout for support in the analysis. Notified Apple of the vulnerabilities.
• Apple (mobile devices): Patched the three vulnerabilities and released the iOS 9.3.5 update. Filed CVE reports.
6. Trident: 3 Zero-Day iOS Vulnerabilities
• CVE-2016-4657: Memory Corruption in WebKit
- Vulnerability in Safari WebKit that allows the attacker to compromise the device when the user clicks a link
• CVE-2016-4655: Information Leak in Kernel
- Kernel base mapping vulnerability that leaks information to the attacker, allowing the attacker to calculate the kernel’s location in memory and circumvent KASLR
• CVE-2016-4656: Kernel Memory Corruption Leads to Jailbreak
- Kernel-level vulnerability that allows the attacker to corrupt memory in a function, disabling the code signing requirement to silently jailbreak the device and install surveillance software that runs as if it were part of iOS
- Allows the attacker to circumvent all security measures
7. The Surveillance
[Diagram: the Kernel beneath App 1, App 2, App 3 and App 4, with connections to the Internet, Cloud Services, Corporate services and a Command & Control Center. Defensive layers shown with ✗ markers: Data encryption, Containers, VPNs, End-to-end encryption, Secure email (one marked ?).]
8. Exploits Kernel and Legitimate Apps
Legitimate apps are patched in memory, not replaced by malicious apps.
App patching is not required for Pegasus to spy, but it provides context.
9. Emphasis on Stealth
Pegasus features designed to avoid detection
• Throttle bandwidth based on connection
• Operate certain functions when idle
• Automatically uninstall if any chance of discovery
• Automatically revert to a legitimate website if the exploit fails
• Anonymizing proxy chain to obfuscate Command and Control
“In general, we understand that it is more important that the source will not be exposed and the target will suspect nothing than keeping the agent alive and working.” - NSO Group documentation
10. Skycure Mobile Threat Defense
Mobile Threat Intelligence Platform: Physical, Network, Vulnerabilities, Malware
Server-Side (Security, Visibility, IT Satisfaction):
• Advanced security
• Management console
• Automation & integration
End-User App (Seamless experience, Privacy, Minimal footprint):
• End-user satisfaction
• Detection & protection
• No “Private APIs”
11. The Cyber Kill Chain
CYBER KILL CHAIN
• Reconnaissance: Study the target, gather intelligence
• Weaponization: Design and build the exploit, research vulnerabilities
• Delivery: Social engineering (SMS, email, etc.)
• Exploitation: Execute infiltration, exploit vulnerabilities
• Installation: Install malware
• Command & Control: The “spy” receives information and may control the device
• Actions on Objectives: Exfiltration, theft, ransom, etc.
✗ Pegasus was stopped here
12. How Skycure Interrupts the Kill Chain
CYBER KILL CHAIN
• Reconnaissance: Study the hacker, gather intelligence on them
• Weaponization: Protect against disclosed and undisclosed vulnerabilities
• Delivery: Protect unsuspecting users (e.g. SMS/MMS like Stagefright)
• Exploitation: Static & dynamic analysis, system integrity checks
• Installation: Block installation, detonate in a safe environment
• Command & Control: Active Honeypot patent, who is the device talking to?
• Exfiltration: Block critical enterprise resources, recognize attackers when they use what they stole
14. What to do now
1. Install Skycure – it’s free
2. Contact Skycure
Email: pegasus@skycure.com
Call: 1-800-650-4821
3. If Pegasus is found: TURN THE PHONE OFF
15. The Rest of the Story
• Announcement about Pegasus after the Apple patches (August 25, 2016)
• Security companies add Pegasus detection
- Skycure already detected Pegasus (just added the name)
• NSO is not out of business (nor are others)
• Other exploits are out there – and more will come
• Can you afford to wait until the next announcement?
• There are no guarantees, but you can reduce your risk
16. Request a free Pegasus assessment
get.skycure.com/pegasus-spyware-assessment
Q&A